Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

smitty777 writes "The Wall Street Journal is reporting on some unprecedented steps being taken by major financial institutions to combat online theft. The initiatives include a new type of data center that would be used to analyze bank data for potential security threats. Additionally, a quarterly round-table between the rivals to attack security issues was proposed. The article notes that 'security threats are pushing the big banks to do something that doesn't come naturally for these secrecy-steeped institutions: share information with one another.' A video at MarketWatch digs into it a little bit more, and points out that the banks will spend an estimated $1 billion on protection this year, which represents a 12% increase. Technologically, there has been much discussion of two-factor authentication to improve security. In fact, security officials in Singapore are even hinting at biometric solutions."

Right now you have many companies who have differing levels of protection. This would be akin to each state being in charge of its own military. Ideally, by pooling said resources a better overall military/defense could be formed. Redundancy removed, funds freed up for more high level prevention.

Of course, that is being optimistic. Pessimistically, they'll agree to combine all their funds, use 10% (90% to bonuses for thinking of this savings) of it for this venture, outsource it to a company in India, who outsources it to China, who out sources it to South Korea (which gets linked to North Korea and sold to Russia), who out sources it to a vocational school in Seattle.

Recall the old adage that Canada should be the best place in the world, with French culture, British politics, and American industry. Instead, they somehow ended up with French politics, British industry, and American culture. This cooperation between banks will doubtless combine their weaknesses while discarding their strengths in a similar way.

Having used both name/password, electronic tokens etc. to access my financial data, I would like to see an objective analysis of their security. I personally prefer the electronic tokens used by several Dutch banks (ING, Rabobank, ABN AMRO), above the name/password features used by American banks (BofA, Wells Fargo, Chase, JP Morgan, Credit unions, etc.). But the main question is: how do they perform in real-life? Which schemes lose more money to scamming or phishing?

Evaluating the performance of my parents (70+) with modern authentication schemes, does not bode well. My parents are generally unable to distinguish phishing mail from real mail - how should banks balance the convenience of email against the requirements for safety?

Can anyone point to objective evaluations of bank security and authentication schemes?

... At an industry conference in 2003,..., the chief technology officer of a large bank said... "We don't want to talk about fraud in front of anyone."

You'll never see an objective analysis of their security and you'll never learn which banks are subject to fraud, except where State/Federal law requires disclosure.If we learned about the $$$ value of fraud that banks write off, there would probably be public outrage and a crisis of confidence in the banking system,especially now with the mortgage crisis and bank bailouts fresh in the public's mind.

If we learned about the $$$ value of fraud that banks write off, there would probably be public outrage and a crisis of confidence in the banking system,especially now with the mortgage crisis and bank bailouts fresh in the public's mind.

If you want to know the value of fraud, just look at any major bank's quarterly statement. It's usually broken out by line-item.

Biometrics; great; Like in Mexico, they will take your hand if you are lucky. If you aren't lucky, the bank will have some kind of life detector which will check if the hand is alive. In that case the gang just takes you along with your hand and then disposes of both together after the crime. With the exception of the situation where there's a guard actually checking that the ID system is being used right by a single person, what could be stupider than using a security token you can't change.

> Like in Mexico, they will take your hand if you are lucky. If you aren't> lucky, the bank will have some kind of life detector which will check> if the hand is alive.> In that case the gang just takes you along with your hand and then> disposes of both together after the crime.

Biometrics; great; Like in Mexico, they will take your hand if you are lucky.

That example is a tad outrageous, as I believe the end goal was an RFID implant. Besides, if you can get their fingerprint, you can make a latex copy. I'm pretty sure that the 'gummy' fingerprint technique can still fool most dermal scanners.

The specific example was installation of palm readers in ATMs. I don't remember anything about the RFID bit have a link? I don't see that it help, nor the fact you can forge the fingerprint readers easily with a rubber glove. Anything which is beyond the abilities and patience of a guy with a gun is a bad idea. What is needed is a PIN code with a maximum daily limit and a gradually extending authorisation system depending on the size of the transaction taking place. For example: if it's 100 your PIN is

My broker's website is so full of javascript and pop-ups I am terrified to use it. I pulled my retirement from that broker and went to a "brick-and-mortar" institution, only because I know how easy it would be to fool me with a clever javascript to redirect me to a bogus site.

I feel completely powerless when talking to a office guy whose instructions are to toe the company line and ignore the customer's pleas to not put this kind of code on a financial site. I am left stewing kn

Biometrics must be the 'security' concept that combines the worst features with the best wiz-bang sci-fi aesthetic appeal... I can only assume that it was invented during a sort of 'product blackjack', where a group of players competed to see who could come up with the most awful ideal that could still be successfully sold...

"Hey guys, I'm trying to build a truly awful security system. Can anybody think of something like a password, only absurdly hard to change voluntarily, occasionally changed traumatically by forces beyond the user's control, and preferably left in traces all over the place during the course of daily life? Drinks are on me if successfully compromising it for one institution renders it strongly likely that it will be compromised across a large number of unrelated ones simultaneously!"

The only place I can see biometrics being useful is as part of a hashing algorithm where some other factor is a secret. In this case, it's not the primary securing factor, but it is yet another piece of information about you that the attacker must have to generate the appropriate hash.

Of course, "biometrics" is awfully hand-wavy. Because fingerprints/retina scans/vein topology/etc aren't digital, the actual algorithms that digitize them have a large margin of error, and any hash in the appropriate set wil

Yes. Yes I do expect that. Anything less is smoke and mirrors. The infrastructure is in place for the bank, all they need to do is replace that "Verified by Visa" / "Mastercard Securecode" bullshit with this service.

Banks have already been sharing info with the National Cyber-Forensics & Training Alliance (NCFTA) which is a non-profit non-government entity. The NCFTA acts as a middle man between banks/other high value targets and law enforcement. They also do aggregate analysis on the attacks seen by multiple institution to determine if there are larger trends.

Of course it sounds good that the banks want to coordinate their security efforts. Probably one part of their analysis has to create profiles of common usage to be able to discern uncommon and possibly dangerous usage. These profiles will be much more detailed than their internal ones. Might they not use those profiles for other things like customer scoring, targeted advertising, etc., too? Or should I assume that they already share some data about their customers?

Seeing as metals have significant security issues [wikipedia.org] also, this makes as much sense as, well, it doesn't make sense. Change one token for another?

Anything the least bit tangible can be stolen, even data. Seeing as data snatch-and-grabs are all the rage, how banks can escape the fate of some other outfits that should by their very definition be more secure escapes me. It's a cat-and-mouse game. For banks, the goal may be to prevent break-ins, but the best result is probably to detect them quickly, perhaps e

Maybe it's the enginieer in me but couldn't we make a machine to test the authenticity of metal coins? Given that metals have specific density and conductivity it would be pretty hard to make a coin with the same size, shape and conductivy than a silver or gold one for instance.

How about the consumer and unions come together and take unprecedented steps to combat theft by banks and the Wall Street? First they commited fraud in multi-billion dollars, then get the money from the tax payers to not get bankrupt and now forcing the Europe and the USA into a degaced long recession by austerity and anti-labor politics.

Unless you are a loan officer or manage loan officers there is no money in banking, especially not in I.T. Never has been, never will be. Over 10 years working I.T. for many banks proved that to me, until I finally wised up and got out of the industry. They don't spend a single penny more than they have to on salary, hardware, software, or security. Maybe this will change when a new generation of presidents, board members, etc comes to power, but as long as it's still the same old white men you can give up

i can possibly rely on my financial institutions to keep me financially safe. i hit wells fargo this morning to change some coins into dollars and the banker at the counter couldnt count them without a plastic dowel to arrange them in. The entire time the banker on the floor lectured me without provocation about the banks many incredible services and why i should become a member right away. neither one thought to send me on my way with coin rolls perhaps.

On the heels of MS sharing all info they have gotten from the malware with all the major big banking companies and law agencies, this is yet another great step towards uniting against a 5 billion dollar a year industry, identity theft/fraud!

I applaud it, although they might need to sanction some sort of governing body to help make decisions, else you might get one that wants to take their ball home if they don't play the way they like.

On the plus side, it just means more ideas will be shared across the boar